I've seen it happen sporadically during reboots, so it's something that just isn't safe to do on an extended basis.

------------------------------------------------------
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Friday, February 14, 2003 9:37 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] Locking down network access
>
> Thanks for the advice, it has been perfect in production for 6 months in multiple sites, but that could be because of our configuration with limited services.
>
> --------------------------
> Sent from my BlackBerry Wireless Handheld
>
> ----- Original Message -----
> From: ActiveDir-owner
> Sent: 02/14/2003 07:16 AM
> To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> Subject: RE: [ActiveDir] Locking down network access
>
> > * Value: some number between 1025 and 65534, we will standardize on "1025"
>
> You REALLY need to change that.
>
> Ephemeral ports (i.e. 1024 and above) are assigned on a first come, first served basis. While it hasn't happened yet, it is VERY possible (I'd say probable) that, depending on service startup order, a different service could grab port 1025 before the replication service kicks in, and it will cause that service to fail. I've seen it happen plenty of times in the past.
>
> It's far safer to choose static high ports over 1500-2000 for such things. The first few dozen are so often used that relying on them for permanent assignment is asking for trouble.
>
> ------------------------------------------------------
> Roger D. Seielstad - MCSE
> Sr. Systems Administrator
> Inovis - Formerly Harbinger and Extricity
> Atlanta, GA
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, February 13, 2003 4:44 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [ActiveDir] Locking down network access
> >
> > There is a technote out there but this may help
> >
> > How to enable communication from a Windows OS Active Directory Client to the Active Directory Server across a firewall
> >
> > The following ports will be used for outbound communication from the client to the server. This assumes that a stateful firewall is being used to allow inbound communication from the server.
> >
> > * DNS will be using TCP and UDP port 53
> > * Network Time Protocol (NTP) if required uses TCP port 123
> > * Microsoft's implementation of Kerberos will be using TCP and UDP port 88 (Note this may be non-standard compared to the MIT Kerberos implementation)
> > * The EndpointMapper for RPC services will use TCP port 135
> > * LDAP will use TCP port 389 and Microsoft uses an LDAP "ping" on UDP port 389
> > * Server Messaging Block services (SMB, SAMBA) will use TCP port 445
> > * Global Catalog services use TCP port 3268 - this should be necessary when logging into forests with more than one domain
> > * The last port is used for Active Directory Logon and replication. Normally this is a dynamic port. For security reasons this should be configured to use a static port, so that the firewall rules can be specific. To configure this open the registry on each Domain controller that needs to be contacted through the firewall. Navigate to the following Key -
> > HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
> > Add a new value with the following properties:
> >
> > * Value Name: "TCP/IP Port"
> > * Data Type: "REG_DWORD"
> > * Radix: "Decimal"
> > * Value: some number between 1025 and 65534, we will standardize on "1025"
> >
> > Additional configuration will be needed for specific application access and use, such as Exchange
> >
> > "Brad Martin" <[EMAIL PROTECTED]>
> > Sent by: [EMAIL PROTECTED]
> > 02/13/2003 04:37 PM
> > Please respond to ActiveDir
> > To: "Active Directory Mailing List" <[EMAIL PROTECTED]>
> > cc:
> > Subject: [ActiveDir] Locking down network access
> >
> > Does anyone have a list of what ports need to be open on a firewall to access things like Active Directory, WINS, DNS, mapping drives, etc.? We need to lock down a section of our network and we only want to let the bare minimum through our firewall. Thanks.
> >
> > Brad Martin
> > Go Daddy Software, Inc.
> > 480.505.8800 ext. 250
> > [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
> > http://www.godaddy.com <http://www.godaddy.com/>
>
> List info : http://www.activedir.org/mail_list.htm
> List FAQ : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
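An added example, not from the thread or from any Microsoft technote, that turns the port-collision warning above into a pre-flight check before writing the "TCP/IP Port" value from the quoted instructions: it rejects a candidate port that lies inside the host's current dynamic (ephemeral) TCP range or that already has a listener, and only then creates the REG_DWORD under the NTDS\Parameters key. It assumes a current Windows Server with the NetTCPIP module (Get-NetTCPSetting, Get-NetTCPConnection) and that the domain controller is restarted afterwards so AD binds to the new port; the script name and parameters are my own.

```powershell
# Set-NtdsStaticPort.ps1 (added example; not from the mailing-list thread)
# Writes HKLM\System\CurrentControlSet\Services\NTDS\Parameters\"TCP/IP Port"
# (REG_DWORD) only after checking the port is outside the dynamic range and free.
param(
    [Parameter(Mandatory = $true)][ValidateRange(1025, 65534)][int]$Port,
    [switch]$WhatIf
)

$ErrorActionPreference = 'Stop'
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# 1. Reject anything inside the dynamic (ephemeral) range. In 2003 that range
#    started at 1025; on current Windows it defaults to 49152-65535, so read it
#    from the stack instead of hard-coding. A port inside it can be handed to
#    whichever service starts first, which is the failure Roger describes.
$dyn = Get-NetTCPSetting | Where-Object { $_.DynamicPortRangeStartPort } | Select-Object -First 1
$dynStart = [int]$dyn.DynamicPortRangeStartPort
$dynEnd   = $dynStart + [int]$dyn.DynamicPortRangeNumberOfPorts - 1
if ($Port -ge $dynStart -and $Port -le $dynEnd) {
    throw "Port $Port is inside the dynamic range $dynStart-$dynEnd; choose a port outside it."
}

# 2. Reject a port that already has a listener. Startup order can change this
#    between boots, so repeat the check after the restart as well.
$listener = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if ($listener) {
    $pid0  = $listener[0].OwningProcess
    $owner = (Get-Process -Id $pid0).ProcessName
    throw "Port $Port already has a listener (PID $pid0, $owner)."
}

# 3. Write the value exactly as the technote specifies (name, type, decimal).
if (-not (Test-Path $keyPath)) { throw "NTDS key not found; is this host a domain controller?" }
if ($WhatIf) {
    "Would set $keyPath\'TCP/IP Port' = $Port (REG_DWORD)"
} else {
    New-ItemProperty -Path $keyPath -Name 'TCP/IP Port' -PropertyType DWord -Value $Port -Force | Out-Null
    "Set 'TCP/IP Port' = $Port. Restart the domain controller so AD binds to it, then add the matching firewall rule."
}
```

Run it with -WhatIf first (for example `.\Set-NtdsStaticPort.ps1 -Port 1600 -WhatIf`, a port in the 1500-2000 band Roger suggests) to see the checks pass before anything is written.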
